External-dns access private with EKS and Route53 don't work

Question

I'm using EKS, Route53 and External-dns for my DNS records.

Here is the nginx-ingress I'm currently using

nginx-ingress:
  controller:
    config:
      use-forwarded-headers: "true"
    service:
      annotations:
        external-dns.alpha.kubernetes.io/access: private
        external-dns.alpha.kubernetes.io/hostname: gitlab.${var.gitlab-domain}, registry.${var.gitlab-domain}
        service.beta.kubernetes.io/aws-load-balancer-ssl-cert: ${data.aws_acm_certificate.cert.arn}
        service.beta.kubernetes.io/aws-load-balancer-backend-protocol: https
        service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
        service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "3600"
        alb.ingress.kubernetes.io/scheme: internet-facing
        ${var.gitlab-domain}/dns-type: private

My problem is even though I'm using this line: external-dns.alpha.kubernetes.io/access: private, external-dns will add records in both public and private route53 hosted zone. How to do to only have the records in my private zone?

For now, the only workaround I found is to not give the right on the public zone to route53, but it's not a long term solution.

Answer 1

I'm now using annotations filter

I have two external-dns one for the private zone one for the public

I add this to my external-dns helm chart:

set {
    name  = "annotationFilter"
    value = "company.com/dns-type in (private)"
}

And after in my nginx-ingress controller, in the annotations I can use this annotation:

company.com/dns-type: private